Microsoft's Achilles' Heel: Office

The cyber attack last month against a U.S.-based public utility came wrapped in a Microsoft PowerPoint document featuring holiday illustrations and heartwarming reflections. This PowerPoint file, which resembled an innocuous version that was being forwarded around the Web by many sentimental e-mail users, had been modified to include a Trojan horse program designed to open a secret backdoor into the utility's internal computer network.

The company called in to investigate the attack, Verisign's iDefense Labs in Sterling, Va., also found two separate Microsoft Word files on computers inside the company's network that had also been tainted with malicious software code designed to give attackers control over the machines. None of the files were detected as malicious by the anti-virus software used by the company.

Ken Dunham, director of iDefense's rapid response team, said similarities in the computer code of all three malicious programs strongly suggested the handiwork of a Chinese hacking group known to write computer viruses for hire. And in each case, the attackers designed their hidden viruses to take advantage of security holes recently discovered in the Microsoft Office programs.

The attack investigated by iDefense is just one example of one of the biggest problems facing Microsoft: The seemingly endless string of vulnerabilities discovered last year in the software giant's Office software, the productivity suite that includes the widely used Excel, Outlook, PowerPoint and Word programs. Microsoft patched a total of 41 critical vulnerabilities in its various Office products last year, accounting for more than one third of the 104 "critical" flaws the company patched in all of 2006. Microsoft assigns a patch its most dire "critical" rating if the update fixes a vulnerability that bad guys could exploit with little to no action on the part of user, aside from maybe visiting a malicious Web site or viewing a specially crafted e-mail.

To put last year's 41 critical Office patches into perspective, consider that Microsoft shipped a total of 37 critical updates for all of its software products in 2005. None of the patch or vulnerability numbers cited in this story takes into account three still-unpatched vulnerabilities present in Microsoft Word, two of which Microsoft has acknowledged that criminals are actively exploiting.

In at least four cases in 2006, Microsoft rushed to issue patches to fix Office flaws that it first learned about after bad guys already were exploiting them for financial or personal gain.

For its part, nearly each time last year that Microsoft acknowledged attacks on unpatched flaws in its software, the company assured customers that the attacks were "very limited" and "very targeted" in scope. Indeed, at least when it comes to attacks this past year that leveraged unpatched Microsoft Office flaws, the anecdotes from victims have been few and far between, suggesting that the company's assurances are correct. It may also be the case that the victims of such attacks are government agencies or businesses that simply do not want to risk the potential for negative publicity should news of a network security breach attack reach the press.

As with the incident at the utility company documented by iDefense, attacks reported to the SANS Internet Storm Center in Bethesda, Md., often are of the targeted variety, reported by government agencies or contractors who wish to remain anonymous but perhaps also see the value in spreading a word of warning to others.

Johannes Ullrich, chief technology officer for the Storm Center, said he received private reports in 2006 from a defense contracting company that was hit by a targeted virus attack that took advantage of an unpatched PowerPoint flaw. In another case reported to SANS last year, the security of a federal financial regulatory agency was compromised by a Microsoft Word document that took advantage of an unpatched security hole in the software to install computer code designed to let attackers remotely control infected systems.

Ullrich said both attacks arrived in e-mails that appeared as though they were sent from an insider, and included references to co-workers or ongoing projects, suggesting the attackers had fairly detailed knowledge of their targets. And both attacks were based in part on virus variants previously unidentified by security experts.

"These were definitely variants that we hadn't seen anywhere else," Ullrich said.

Microsoft's claims notwithstanding, the company has shifted its advice to customers in determining how to deal with e-mail attachments that could harbor potentially dangerous Office documents. Consider the very first Office security update that Microsoft shipped in 2006: A patch the company pushed out on St. Patrick's Day to correct an Excel bug that an enterprising researcher had tried to sell at an eBay auction in December 2005.

In the "workarounds" and "mitigation" sections of its accompanying security advisory, Microsoft strongly advised customers: "Do not open or save Microsoft Excel files that you receive from un-trusted sources."

Fast forward to October, when Microsoft released the last of its Office security updates for the year. In the accompanying advisories, the company appropriately extended its warning about unsafe attachments to files sent even by people the recipient knows and trusts: "Do not open or save Microsoft Office files that you receive from untrusted sources or that you receive unexpectedly from trusted sources."

Most security experts I interviewed over the past several weeks say they expect to continue to see a large number of Office flaws disclosed and/or exploited throughout 2007, and that older, more vulnerable versions of Office will continue to be a key source of vulnerability for users who upgrade to Microsoft Vista, the new version of Microsoft's Windows operating system.

See Thursday's posting on Microsoft's record for turning around patches in its Internet Explorer Web browser.

With very little effort one can simply replace the MS products with OpenOffice. This free suite of software is generally compatible with MS Office, and to my knowledge, does not contain the egregious security flaws of the MS products.

The caveat here are the words "to my knowledge." I have yet to hear of successful exploits of this suite.

Interesting that SANS just posted this week about a remote exploit in OpenOffice, see below. Note the file format -- WMF -- and all of Microsoft's experience this year dealing with WMF file format flaws (the first anecdote in the blog post above is about a very similar WMF flaw in Windows.

In order to apply MS-Office patches the User needs to locate and insert the original Office CD. In my experience, the very few Users that are even aware that they need to patch Office stop the process for lack of time to search for the correct CD. This vulnerability, along with the exploits, is likely to cripple the huge number of MS-Office installations in 2007. I have switched to OpenOffice on all all systems without a single compatibility issue to-date.

thw2006 - this was true several years ago, but Microsoft really streamlined the mechanics of their update process a while back to allow patches without the install CD, perhaps with a larger download. Compared to Adobe, the Microsoft Updates are now amazingly easy.

I haven't had the chance to work with OpenOffice yet. Have many patches been issued for it? Does the suite find them automatically and are they easy to install?

Microsoft tweaked the Office updater site (http://office.microsoft.com) to allow some versions of office to update without the CD. It also made Windows/Microsoft Update so that it also scans for and installs any needed Office patches, but that does not work on Office 2000. Office 2000 users still need to manually scan for updates, and may need to have their CDs handy.

I've been a Microsoft Office Certified Expert since the 90s and between these exploits and the stunningly poor coding of the new Office 2007's OXML format, my company is spending 2007 switching over to the FOSS OpenOffice. We tested it directly against the Office 2007 beta throughout 2006 and the vote was unanimously in favor of OpenOffice. As a big fan of Word and Excel, even I was surprised at how well OpenOffice Writer and Calc could hang with Microsoft Office, only without the bloat or danger.

Is Microsoft putting out hastily-programmed poor products, or is it just that easy for any hacker to exploit unseen security holes? It strikes me that if MS is just sloppy and profit-driven, that there is a market-based solution. When the US gov't. purchases custom programming services and web services, they have extensive security and testing requirements. As the US Gov't. and prime contractors with US data on their computers surely comprise a huge purchasing block, why can't they change their security standards and force MS To get its act together? Or, even better, incentivize a new major vendor in the market.

"Interesting that SANS just posted this week about a remote exploit in OpenOffice, see below. "

The initial reports on this were, unfortunately, confusing, but it appears that the current version of OpenOffice, 2.1.0, is NOT affected. The following E-mail excerpt is from the BUGTRAQ mailing list:
==
Subject: Correction (High Risk Vulnerability in the OpenOffice and StarOffice Suites)
Date: Thu Jan 4 16:03:39 2007
From: "NGSSoftware Insight Security Research"
To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org

Only versions prior to OpenOffice 2.1.0 are vulnerable to the heap overflows
found by John.
Cheers,
David Litchfield
==

I've got to say it - I'm delighted. Microsoft used H1B alien workers to produce VISTA and their crummy software upgrades. Workers who will steal and sell the plans for the B2 bomber wont balk at selling criminals the know how to hack into Office or VISTA or SQL2005 or anythign else Microsoft produces. Any company using a Microsoft product is flat out insane.

It sounds like OpenOffice's security update system is kind of messy/inconvenient.

"OpenOffice has uploaded the patch to its Web site. People must manually install the file in place of its vulnerable predecessor or upgrade to the latest version of the software, OpenOffice 2.1. Open-source suppliers such as Red Hat have released their own patches."

it amazes me just how much folks cling to their microsoft products, even with the imminent threat of annihilation. their products are bloated, ugly and expensive. there are alternatives and some of them are free. i'm sure they aren't as fancy as office, but how powerful does a word processor need to be anyway?

The issue of Ms Office is legacy. We know that a system has its lifecycle and if we need to apply a lot of emergency fixes and patches to it, for certain period of time, the system becomes un-maintainable and should be re-designed or replaced by something totally new. Or, otherwise, it will requires more and more resource to fix new bugs. It is particularly true for complex system. OpenOffice has the advantage in two areas: it is relatively new and it is less popular. The number of attack is increasing in the last year when more people switch to OpenOffice. Many fraudsters today are businessmen. They do calculate the return before they spend the resources.

I use OpenOffice at home but my company use Microsoft products. I have encountered so far just some minor compatibility issues with spreadsheets and documents with Chinese or Japanese characters but overall they work quite well with each other.